Diffie and Hellman [2] propose the use of the exponential function in a finite field for cryptographic purposes. The proposal is based on the conjecture that the inverse function, the logarithm, is not feasibly computable. We show that a proof of this conjecture would have important consequences for theoretical computer science, even under the assumption that $P \neq NP$.

Our observation is based on the following idea. (Here $|i|$ denotes the length of the binary representation of $i$.)


Proposition:

Suppose $f$ has the following properties: $|f(i)| = |i|$, $f$ is one-one and onto, $f$ is computable in polynomial time and $f^{-1}$ is not polynomial time computable. Then the set $S = \{\langle n, m\rangle \mid f^{-1}(n) > m\}$ is in $NP \cap CoNP - P$. Moreover, if $f^{-1}$ is $NP$-hard then $NP = CoNP$.

Proof:

$S$ is in $NP$, since on input $\langle n, m\rangle$ a nondeterministic algorithm can guess $i$ of length $|n|$, verify $f(i) = n$ and accept if $i > m$. Similarly $S$ is in $CoNP$ (guess $i$, verify $f(i) = n$ and accept if $i \le m$). $S$ is not in $P$, since otherwise $f^{-1}(n)$ could be computed in polynomial time as follows. $f^{-1}(n)$ is one of at most $2^{|n|}$ possible values. By binary search, where each query $\langle n, k\rangle$ to $S$ divides the remaining range in half, we can uniquely determine $f^{-1}(n)$ within $|n|$ queries. Moreover, if $f^{-1}$ is $NP$-hard, so is $S$. But $S \in NP \cap CoNP$, and an $NP$-hard set in $CoNP$ places all of $NP$ in $CoNP$. Therefore $NP = CoNP$. □


The function proposed by Diffie and Hellman, namely $\exp_{r,p}(n) = r^n \pmod p$, does not quite satisfy the proposition, since it is not length preserving and moreover, if $p$ is not prime or $r$ is not a primitive element modulo $p$, it is not one-one. However, a slightly more complicated proof will obtain a similar result.

Define the logarithm function $\log(p, r, n)$ as follows. If $p$ is a prime and $r$ is a primitive element modulo $p$, then $\log(p, r, n)$ is the unique $m$ such that $0 < m < p$ and $r^m \equiv n \pmod p$. Otherwise $\log(p, r, n)$ is $0$.

Theorem:

If $\log(p, r, n)$ is not computable in polynomial time, then $P \neq NP \cap CoNP$.

Proof:

Consider the set $S = \{(p, r, n, t) \mid \log(p, r, n) > t\}$.

We show $S$ is in $NP$ as follows. $p$ is a prime and $r$ is a primitive element modulo $p$ if and only if $r^{p-1} \equiv 1 \pmod p$ and, for each prime factor $q$ of $p-1$, $r^{(p-1)/q} \not\equiv 1 \pmod p$ [3]. These conditions can be checked in nondeterministic polynomial time by guessing the prime decomposition of $p-1$ together with certificates [4] that each of the factors is indeed prime. Once it is known that $p$ is prime and $r$ a primitive element, the unique $m$ such that $r^m \equiv n \pmod p$ can be guessed. If $m > t$, then $(p, r, n, t)$ is in $S$.

$S$ is also in $CoNP$. A quadruple $(p, r, n, t)$ is not in $S$ if and only if $\log(p, r, n) \le t$. This condition holds if and only if either there are $i$ and $j$, $0 < i < j < p$, such that $r^i \equiv r^j \pmod p$ (so that $p$ is not prime or $r$ is not primitive, and $\log(p, r, n) = 0$ by definition), or there is an $m$, $0 < m < p$, such that $r^m \equiv n \pmod p$ and $m \le t$. Both of these conditions can be checked nondeterministically in polynomial time.

Now if we are given an oracle for the set $S$, $\log(p, r, n)$ can be computed in deterministic polynomial time by binary search on $t$: since $0 \le \log(p, r, n) < p$, each query halves the remaining range and at most $|p|$ queries are needed. Hence if $\log(p, r, n)$ is not polynomial time computable, then $S$ is not in $P$. □
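As an added worked example, not part of the note: the reduction used in both proofs above, computing the function from a membership oracle for $S$ by binary search, run in Python on a small constructed instance ($p = 23$, $r = 5$, with $5$ a primitive element modulo $23$). The helper names (`search_with_oracle`, `log_via_oracle`, `in_S`, `is_prime_and_primitive`) are this example's own. The oracle for $S$ is realised by brute force, which is only feasible for tiny $p$ and is precisely what the note conjectures cannot be done in polynomial time in general; trial division stands in for the primality certificates of [4]. The same `search_with_oracle` loop is the binary search of the Proposition's proof, with the $2^{|n|}$ candidates for $f^{-1}(n)$ in place of the range $0 \ldots p-1$.

```python
"""Added example, not from the note: computing log(p, r, n) with nothing but
a decision oracle for S = {(p, r, n, t) | log(p, r, n) > t}, by binary search
on t.  Helper names are this example's own; the oracle is simulated by brute
force, so p must stay small."""
from math import prod


def prime_factors(m):
    """Prime factorisation of m by trial division, with multiplicity.  Stands
    in for the decomposition of p-1 that the NP verifier in the note guesses."""
    factors, d = [], 2
    while d * d <= m:
        while m % d == 0:
            factors.append(d)
            m //= d
        d += 1
    if m > 1:
        factors.append(m)
    return factors


def is_prime(q):
    """Trial-division primality check; stands in for a certificate [4]."""
    return q >= 2 and all(q % d for d in range(2, int(q ** 0.5) + 1))


def is_prime_and_primitive(p, r, factors):
    """The test used in the note's NP argument [3]: given the prime factors of
    p-1, p is prime and r is a primitive element mod p iff r^(p-1) = 1 (mod p)
    and r^((p-1)/q) != 1 (mod p) for every prime factor q of p-1.  The claimed
    factors are checked (product equals p-1, each one prime), because the
    test is unsound if a 'factor' is composite."""
    if p < 2 or prod(factors) != p - 1 or not all(is_prime(q) for q in factors):
        return False
    if pow(r, p - 1, p) != 1:
        return False
    return all(pow(r, (p - 1) // q, p) != 1 for q in set(factors))


def log_function(p, r, n):
    """log(p, r, n) as defined in the note: if p is prime and r is primitive
    mod p, the unique m with 0 < m < p and r^m = n (mod p); otherwise 0.
    Brute force, used only to simulate the oracle."""
    if not is_prime_and_primitive(p, r, prime_factors(p - 1)):
        return 0
    n %= p
    for m in range(1, p):
        if pow(r, m, p) == n:
            return m
    return 0  # n = 0 (mod p) has no logarithm; the note's definition does not cover it


def in_S(p, r, n, t):
    """Membership oracle for S = {(p, r, n, t) | log(p, r, n) > t}."""
    return log_function(p, r, n) > t


def search_with_oracle(greater_than, lo, hi):
    """Recover an unknown integer L with lo <= L <= hi from queries
    greater_than(t), which answer whether L > t.  This is the binary search of
    both proofs: the Proposition searches the 2^|n| candidates for f^{-1}(n),
    the Theorem searches 0..p-1.  Returns (L, number of queries)."""
    queries = 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if greater_than(mid):
            lo = mid + 1      # L > mid: discard the lower half
        else:
            hi = mid          # L <= mid: discard the upper half
    return lo, queries


def log_via_oracle(p, r, n):
    """Deterministic computation of log(p, r, n) using the S oracle alone.
    Each query halves the range 0..p-1, so at most |p| (the bit length of p)
    queries are made."""
    value, queries = search_with_oracle(lambda t: in_S(p, r, n, t), 0, p - 1)
    assert queries <= p.bit_length()
    return value, queries


if __name__ == "__main__":
    # Constructed instance: 23 is prime and 5 is a primitive element mod 23.
    for n in (8, 13, 1):
        value, queries = log_via_oracle(23, 5, n)
        print(f"log(23, 5, {n}) = {value} after {queries} oracle queries; "
              f"5^{value} mod 23 = {pow(5, value, 23)}")
    # Cases where the function is defined to be 0: composite modulus, and
    # r = 2, which has order 11 mod 23 and so is not primitive.
    print(log_function(15, 2, 4), log_function(23, 2, 4))
```

Passing `[22]` as the "factorisation" of $22$ to `is_prime_and_primitive` makes it return false even though $23$ is prime and $5$ is primitive: the test of [3] only works on genuine prime factors, which is why the $NP$ verifier in the proof needs the certificates of [4] and not just a guessed decomposition.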


Additional material will appear in [1], together with a similar result for the cryptographic method based on prime decomposition suggested in [5].